Media Coverage Archive

Friday | December 23, 2016

Apple Delays App Transport Security Deadline

ThreatPost | By Tom Spring – Apple backtracked on its plan to enforce a year-end deadline that would have required developers to move apps to an HTTPS-only model in an effort to thwart eavesdropping on insecure, plaintext HTTP connections. On Wednesday Apple said a requirement for developers to adopt App Transport Security would be extended. It did not set a new deadline.

The introduction of App Transport Security (ATS) has been a priority for Apple. At its Worldwide Developers Conference in 2015 it introduced ATS, detailing the importance of the transport security standards and explaining how the collection of technologies is designed to provide security for data that’s sent between iOS and macOS apps and back-end servers. At WWDC 2016 Apple warned developers to be ready for a Dec. 31, 2016 deadline for adoption.

“At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed,” Apple wrote.

App Transport Security was introduced with iOS 9 and OS X v10.11. ATS is a collection of technologies that includes TLS 1.2, AES-128 and SHA-2. It also includes perfect forward secrecy, a key-exchange method that protects encrypted sessions even if the server certificate is compromised at a later date. At the time, Apple said support for forward secrecy would be implemented in ATS at a later date.

Apple didn’t reply when asked what percentage of developers had adopted ATS or why it extended the deadline. However, a study by Appthority released earlier this month suggested that most app developers aren’t ready for Apple’s ATS requirements.

In the study, Appthority said that of the top 200 most common iOS enterprise apps, 97 percent used ATS exceptions and utilized settings not in line with default ATS configurations.

“We found that, surprisingly, only 3 percent of apps in our study implement ATS with no exceptions,” according to the study.

As part of the rollout of ATS, Apple had given developers a list of exceptions to ATS they could request, such as not requiring HTTPS when apps used encrypted video streams and when connecting to a specific HTTP address. Among the top iOS apps not using 100 percent HTTPS were Facebook, LinkedIn, CNN, Netflix, Microsoft Word and Skype, according to Appthority.

Compared to the number of Android apps that use 100 percent HTTPS, researchers found iOS apps are doing a lot better. “Among the top 200 Android apps, 160 apps (80 percent) do not use HTTPS. iOS apps’ use of HTTPS is significantly higher than Android at this time–and is expected to improve even further as of January, 2017,” Appthority wrote.